SQL Server Label Security Toolkithttp://sqlserverlst.codeplex.com/project/feeds/rssThe Label Security Toolkit provides tools and techniques for using Microsoft&#174; SQL Server &#40;versions 2005 through 2012&#41; to implement row-level security &#40;RLS&#41; and cell-level security &#40;CLS&#41; based on security labels. The major components of the Toolkit are&#58; &#8226;&#9;The Label Policy Designer application &#8226;&#9;Documentation &#8226;&#9;Examples showing the implementation of row- and cell-level security in different scenarios Created Unassigned: Simple solution for labeling each row without user security level requirement [13504]http://sqlserverlst.codeplex.com/workitem/13504I have a need to label the row of data as the data should be marked with a security level not the user. Is there a simple way to do this with label security toolkit&#63; The user is irrevellent and has no bearing and this should label all data thru out the database at the row level both previous and each additional insert.<br />WKSec_2015Tue, 17 Mar 2015 20:08:52 GMTCreated Unassigned: Simple solution for labeling each row without user security level requirement [13504] 20150317080852PNew Post: vwVisibleLabels not populating?http://sqlserverlst.codeplex.com/discussions/575520<div style="line-height: normal;"><strong>artrask wrote:</strong><br />
<blockquote>
Be aware that there are no records in tblUniqueLabel and tblUniqueLabelMarking until you create labels as part of populating labelled data in your database. The main way to do this is with an application call to usp_GetSecLabelID or usp_GetSecLabelDetails. This sproc will either return the ID of an existing label that matches the inbound argument or create entries for a new tblUniqueLabel record and return the new ID. This is deliberate - it would not be a good idea to try to populate these tables with all possible labels. The number of resulting rows could be very large and affect performance. And there is no good reason to do this - most applications tend to use a small number of actual labels, as compared to the number of possible labels. Make sense? You can check the samples in the toolkit for illustration of inserting data along with calls to usp_GetSecLabelID. Also, make sure your login is not sysadmin. The T-SQL IS_MEMBER() function always returns 0 when the current user context is sysadmin, regardless of membership in other roles. So vwVisibleLabels always is empty if you are connected as sysadmin.<br />
</blockquote>
Interesting. So currently on my Frontend I have a form that Queries &quot;TableA&quot; to provide specific columns. I am trying to replace &quot;TableA&quot; with a view of &quot;TableA&quot; that only shows records with the specified SecLabelID. If tblUniqueLabel and tblUniqueLabel only show new records that are added with the SecLabel, is there anyway to populate them with existing records I retroactively assign a SecLabelID? Thanks a Bunch.<br />
</div>UnderTheAirWed, 17 Dec 2014 01:45:20 GMTNew Post: vwVisibleLabels not populating? 20141217014520ANew Post: vwVisibleLabels not populating?http://sqlserverlst.codeplex.com/discussions/575520<div style="line-height: normal;">Be aware that there are no records in tblUniqueLabel and tblUniqueLabelMarking until you create labels as part of populating labelled data in your database. The main way to do this is with an application call to usp_GetSecLabelID or usp_GetSecLabelDetails. This sproc will either return the ID of an existing label that matches the inbound argument or create entries for a new tblUniqueLabel record and return the new ID. This is deliberate - it would not be a good idea to try to populate these tables with all possible labels. The number of resulting rows could be very large and affect performance. And there is no good reason to do this - most applications tend to use a small number of actual labels, as compared to the number of possible labels. Make sense? You can check the samples in the toolkit for illustration of inserting data along with calls to usp_GetSecLabelID. Also, make sure your login is not sysadmin. The T-SQL IS_MEMBER() function always returns 0 when the current user context is sysadmin, regardless of membership in other roles. So vwVisibleLabels always is empty if you are connected as sysadmin.<br />
</div>artraskTue, 16 Dec 2014 19:20:38 GMTNew Post: vwVisibleLabels not populating? 20141216072038PNew Post: vwVisibleLabels not populating?http://sqlserverlst.codeplex.com/discussions/575520<div style="line-height: normal;">I'm implementing Row-level security with this toolkit and whitepaper but I'm having an issue with vwVisibleLabels not populating. I know my permissions are right and they all show up in tblMarking, but tblUniqueLabelMarking and tblUniqueLabel are blank when I look at them and by association vwVisibleLabels shows up empty as well. Anyone know why this happens? I thought it would show all security labels I have access to? Thanks a bunch.<br />
</div>UnderTheAirMon, 15 Dec 2014 23:08:50 GMTNew Post: vwVisibleLabels not populating? 20141215110850PUpdated Release: SQL Server Label Security Toolkit 1.5 (Mar 03, 2012)https://sqlserverlst.codeplex.com/releases/view/83460<div class="wikidoc">SQL Server Label Security Toolkit installer.</div><div class="ClearBoth"></div>artrask_msftMon, 25 Aug 2014 18:02:43 GMTUpdated Release: SQL Server Label Security Toolkit 1.5 (Mar 03, 2012) 20140825060243PReleased: SQL Server Label Security Toolkit 1.5 (Mar 03, 2012)http://sqlserverlst.codeplex.com/releases/view/83460
<div class="wikidoc">SQL Server Label Security Toolkit installer.</div>
<div></div>
Mon, 25 Aug 2014 18:02:43 GMTReleased: SQL Server Label Security Toolkit 1.5 (Mar 03, 2012) 20140825060243PNew Post: Does the "SQL Server Label Security Toolkit 2.0" work with SQL 2012http://sqlserverlst.codeplex.com/discussions/446996<div style="line-height: normal;">My fault ... Did not notice the additional docs and samples in the app directory ... Works Great, and thanks<br />
</div>AllenEllisonThu, 13 Jun 2013 20:39:00 GMTNew Post: Does the "SQL Server Label Security Toolkit 2.0" work with SQL 2012 20130613083900PNew Post: Does the "SQL Server Label Security Toolkit 2.0" work with SQL 2012http://sqlserverlst.codeplex.com/discussions/446996<div style="line-height: normal;">I have been trying today to use the documentation along with the Toolkit to test out RLS. I am having no luck as it appears that some steps may have been skipped or changed. Has anyone been successful using this in a SQL 2012 environment?<br />
</div>AllenEllisonThu, 13 Jun 2013 19:45:02 GMTNew Post: Does the "SQL Server Label Security Toolkit 2.0" work with SQL 2012 20130613074502PNew Post: Adding a new Category post go livehttp://sqlserverlst.codeplex.com/discussions/391669<div style="line-height: normal;">After reading the new white paper , it is prohibited by design to add new category .So this case is not exist .
<br />
<br />
But I have new question here :-
<br />
<br />
I built new label policy and I applied it on an existing database , which already have data . How I can label the existing records with labels ? is it doable ?
<br />
<br />
I will be so grateful if anyone answered me .<br />
</div>ABUKHAZNEHWed, 13 Feb 2013 11:34:32 GMTNew Post: Adding a new Category post go live 20130213113432ANew Post: Adding a new Category post go livehttp://sqlserverlst.codeplex.com/discussions/391669<div style="line-height: normal;">Hi
<br />
<br />
I was thinking about the same issue , you are asking about .
<br />
Did you have any answers yet ?<br />
</div>ABUKHAZNEHTue, 12 Feb 2013 21:03:46 GMTNew Post: Adding a new Category post go live 20130212090346PReviewed: SQL Server Label Security Toolkit 2.0 (feb 01, 2013)http://sqlserverlst.codeplex.com/releases/view/83460#ReviewBy-tojaRated 1 Stars &#40;out of 5&#41; - your download get an older version of toolkit &#40;1.5.1&#41;. This version doesn&#39;t work with SQL Server 2012tojaFri, 01 Feb 2013 09:34:42 GMTReviewed: SQL Server Label Security Toolkit 2.0 (feb 01, 2013) 20130201093442AReviewed: SQL Server Label Security Toolkit 2.0 (feb 01, 2013)http://sqlserverlst.codeplex.com/releases/view/83460#ReviewBy-tojaRated 1 Stars &#40;out of 5&#41; - your download get an older version of toolkit &#40;1.5.1&#41;tojaFri, 01 Feb 2013 08:25:34 GMTReviewed: SQL Server Label Security Toolkit 2.0 (feb 01, 2013) 20130201082534ANew Post: Issue with tn_RemoveMarkinghttp://sqlserverlst.codeplex.com/discussions/429908<div style="line-height: normal;">
<p>Ah silly me - it switches on the cardinality.&nbsp;</p>
</div>Zack321Thu, 17 Jan 2013 15:00:30 GMTNew Post: Issue with tn_RemoveMarking 20130117030030PNew Post: Issue with tn_RemoveMarkinghttp://sqlserverlst.codeplex.com/discussions/429908<div style="line-height: normal;">
<p>Hi,</p>
<p>Is there an issue with the output for this function fn_RemoveMarking?</p>
<p>It seems to produce inconsistent sql for each category.</p>
<p>For some the modify() is &quot;delete /Label/CAT1&quot;</p>
<p>and then for others it is &quot;delete /Label/CAT2[.sql:variable(&quot;@marking&quot;)]&quot;</p>
<p>Assume they should be like the second type?</p>
<p>Thanks</p>
<p>Zack</p>
</div>Zack321Thu, 17 Jan 2013 14:50:51 GMTNew Post: Issue with tn_RemoveMarking 20130117025051PNew Comment on "Documentation"http://sqlserverlst.codeplex.com/documentation?&ANCHOR#C25261new version &#40;January2012&#41;&#10;http&#58;&#47;&#47;download.microsoft.com&#47;download&#47;8&#47;8&#47;0&#47;880F282A-AA4E-4351-83C0-DFFA3B56A19E&#47;SQL_Server_2012_RLS_and_CLS_White_Paper_January2012.docxchgFri, 12 Oct 2012 08:54:20 GMTNew Comment on "Documentation" 20121012085420ASource code checked in, #79962http://sqlserverlst.codeplex.com/SourceControl/changeset/changes/79962Upgrade&#58; New Version of LabDefaultTemplate.xaml. To upgrade your build definitions, please visit the following link&#58; http&#58;&#47;&#47;go.microsoft.com&#47;fwlink&#47;&#63;LinkId&#61;254563Project Collection Service AccountsMon, 01 Oct 2012 21:14:48 GMTSource code checked in, #79962 20121001091448PSource code checked in, #79961http://sqlserverlst.codeplex.com/SourceControl/changeset/changes/79961Checked in by server upgradeProject Collection Service AccountsMon, 01 Oct 2012 21:08:39 GMTSource code checked in, #79961 20121001090839PNew Post: Label security for multi-tenant hierarchy?http://sqlserverlst.codeplex.com/discussions/350495<div style="line-height: normal;"><p>Hi Alex,</p>
<p>Please take a look at <a href="http://www.techcello.com">www.techcello.com</a>.&nbsp; We have implemented multi-tenant hierarchy and expose it as API.&nbsp; Ours is a platform built on top of .NET.&nbsp; So, if you would like to build an application involving tenant hierarchy, you can easily consume our APIs and build your business application quickly.</p>
<p>Few of the use cases:</p>
<p>- Distributor/dealer kind of business applications.&nbsp; An enterprise has multiple distributors (at top level) in different countries/cities and they have sub-dealers to reach out to end customers.&nbsp; If you are trying to build an inventory system or customer relationship system or billing system for this kind of setup, it can quite become tricky with privileges and data access.&nbsp;</p>
<p>- Loyalty management system for a chain of stores:&nbsp; Imagine an ISV trying to build a loyalty management system providng services for multiple brands and multiple stores.&nbsp; You need to have some kind of tenant hierarchy between stores.</p>
<p>Thank you.</p>
<p><a href="mailto:info@techcello.com">info@techcello.com</a></p>
<p>&nbsp;</p></div>shankarnrkSat, 15 Sep 2012 11:18:04 GMTNew Post: Label security for multi-tenant hierarchy? 20120915111804ANew Post: Adding a new Category post go livehttp://sqlserverlst.codeplex.com/discussions/391669<div style="line-height: normal;">
<p>Hi</p>
<p>If we need to add a new category after the system has gone live, what is the recommended way to do this? I can't see any function that enables this and I imagine that adding a new record in the category table isn't enough due to references in views/functions/sp's.</p>
<p>Is the only way to maintain this through the Desginer? This will involve dropping everything in the target security database and then running the &quot;Apply&quot; process. Correct me if I'm wrong here.</p>
<p>Many Thanks.</p>
<p>Rahil</p>
</div>rahilbukhariWed, 15 Aug 2012 10:31:57 GMTNew Post: Adding a new Category post go live 20120815103157ANew Post: Label security for multi-tenant hierarchy?http://sqlserverlst.codeplex.com/discussions/350495<div style="line-height: normal;">
<p>Hi,</p>
<p>We're looking at possible solutions to provide some sort of hierarchical multi tenancy.</p>
<p>I'm starting to realise that this isn't a pure multi-tenancy problem, as my research generally shows that multi tenancy is more around creating complete segmentation between tenants - whereas we need this to act in a hierarchy... so perhaps this could be
more though of as a row level access problem?</p>
<p>For example, people within a unit at the top of the hierarchy can see data below them.</p>
<p>But also people within a unit at the top can create data which they can give read access to people below them in the hierarchy.</p>
<p>It seems unwise to come up with our own architecture for this problem when if we apply our problem to the labelling concept.</p>
<p>However, this sort of labelling seems appropriate when the are controllable number of predefined &quot;markings&quot; (I think I've got the right terminology), but would this scale well when applied to business units where there would be hundreds with a large depth?</p>
<p>-thanks for your help</p>
<p>Alex.</p>
<p>&nbsp;</p>
</div>alexkeyThu, 29 Mar 2012 14:46:13 GMTNew Post: Label security for multi-tenant hierarchy? 20120329024613P